Hi everyone,
I want to secure a few more services on my vServer (FTP and SMTP) with TLS/SSL. (netcup Debian+SysCP image)
As a first step I wanted to secure the ProFTPD server with FTPS.
proftpd.conf
Code
Include /etc/proftpd/modules.conf
UseIPv6 on
IdentLookups off
ServerName "XXX.yourvserver.net FTP Server"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
Port 21
MaxInstances 30
User proftpd
Group nogroup
Umask 022 022
AllowOverwrite on
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
</IfModule>
<IfModule mod_delay.c>
DelayEngine off
</IfModule>
<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>
Include /etc/proftpd/sql.conf
#
# This is used for FTPS connections
# I added the following line myself!
# the rest is from the standard template
Include /etc/proftpd/tls.conf
tls.conf
Code
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
# -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
# -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
#TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
#TLSRSACertificateFile /etc/apache2/apache.crt
#TLSRSACertificateKeyFile /etc/apache2/apache.key
#
# CA the server trusts
#TLSCACertificateFile /etc/ssl/certs/CA.pem
TLSCACertificateFile /etc/apache2/ssl/apachessl.pem
# or avoid CA cert
TLSOptions NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</IfModule>
tls.log
Code
Feb 26 19:36:34 mod_tls/2.1.2[8185]: SSL/TLS required but absent on control channel, denying command
Feb 26 19:37:00 mod_tls/2.1.2[10376]: SSL/TLS required but absent on control channel, denying command
Feb 26 19:37:12 mod_tls/2.1.2[10999]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:37:12 mod_tls/2.1.2[10999]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:37:12 mod_tls/2.1.2[10999]: TLS/TLS-C negotiation failed on control channel
Feb 26 19:37:17 mod_tls/2.1.2[11275]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:37:17 mod_tls/2.1.2[11275]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:37:17 mod_tls/2.1.2[11275]: TLS/TLS-C negotiation failed on control channel
Feb 26 19:38:08 mod_tls/2.1.2[18481]: SSL/TLS required but absent on control channel, denying command
Feb 26 19:38:34 mod_tls/2.1.2[20268]: SSL/TLS required but absent on control channel, denying command
Feb 26 19:41:08 mod_tls/2.1.2[624]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:41:08 mod_tls/2.1.2[624]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:41:08 mod_tls/2.1.2[624]: TLS/TLS-C negotiation failed on control channel
Feb 26 19:42:34 mod_tls/2.1.2[7878]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:42:34 mod_tls/2.1.2[7878]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:42:34 mod_tls/2.1.2[7878]: TLS/TLS-C negotiation failed on control channel
Feb 26 19:42:39 mod_tls/2.1.2[8173]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:42:39 mod_tls/2.1.2[8173]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:42:39 mod_tls/2.1.2[8173]: TLS/TLS-C negotiation failed on control channel
Could it be that I still need to install the module mod_tls?
What is the easiest way to install it?
When I enter proftpd -l, I get:
Code
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_dso.c
mod_auth_pam.c
mod_readme.c
mod_cap.c
mod_ctrls.c
mod_lang.c
As the certificate I used the one from Apache. I suspect that this doesn't work. Which one can I use for testing?
Thanks in advance.
Oh, and I also noticed something in the Apache2 access.log.
Code
203.200.180.74 - - [25/Feb/2010:15:06:09 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
74.86.23.51 - - [26/Feb/2010:08:56:43 +0000] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 390 "-" "-"
67.43.5.33 - - [26/Feb/2010:09:10:27 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
203.200.180.74 - - [26/Feb/2010:16:21:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
203.200.180.74 - - [26/Feb/2010:19:39:32 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
203.200.180.74 - - [26/Feb/2010:20:01:30 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
203.200.180.74 - - [26/Feb/2010:20:23:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
I hope my server isn't already being hacked; I'm only just setting it up.
Regards
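Added example (not part of the post above, and not ProFTPD or Apache code): a small triage script that reads the posted tls.conf, tls.log and access.log excerpts and reports what a defender would want to know from them. It checks whether any certificate directive is actually active when TLSEngine is on (in the posted tls.conf both TLSRSACertificateFile lines are commented out, and a server with no RSA certificate to offer is one well-known reason OpenSSL answers a ClientHello with "no shared cipher"), counts the mod_tls events by category, and tallies per client IP the access.log requests carrying the w00tw00t scanner marker. The directive names are mod_tls's own; the regexes, the SCANNER_SIGNATURES list, the finding texts and the one ordinary request added to the access.log sample are my own assumptions.

```python
"""Triage helper for a ProFTPD mod_tls setup and Apache access.log entries.
Added example; not from the original post and not ProFTPD/Apache code."""
import re
from collections import Counter

# Sample tls.conf, reduced from the post (commented-out lines kept on purpose).
SAMPLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSCACertificateFile /etc/apache2/ssl/apachessl.pem
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRequired on
</IfModule>
"""

# Sample tls.log lines copied from the post.
SAMPLE_TLS_LOG = """\
Feb 26 19:36:34 mod_tls/2.1.2[8185]: SSL/TLS required but absent on control channel, denying command
Feb 26 19:37:12 mod_tls/2.1.2[10999]: TLS/TLS-C requested, starting TLS handshake
Feb 26 19:37:12 mod_tls/2.1.2[10999]: unable to accept TLS connection:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 26 19:37:12 mod_tls/2.1.2[10999]: TLS/TLS-C negotiation failed on control channel
"""

# Access.log lines copied from the post, plus one constructed ordinary request
# (192.0.2.10 is a documentation address) so the filter has something to ignore.
SAMPLE_ACCESS_LOG = """\
203.200.180.74 - - [25/Feb/2010:15:06:09 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
74.86.23.51 - - [26/Feb/2010:08:56:43 +0000] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 390 "-" "-"
203.200.180.74 - - [26/Feb/2010:16:21:02 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 390 "-" "-"
192.0.2.10 - - [26/Feb/2010:16:30:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def active_directives(conf_text):
    """Return {directive: value} for uncommented lines; <IfModule> tags are skipped."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def audit_tls_conf(conf_text):
    """Return a list of findings (strings) about the active mod_tls directives."""
    d = active_directives(conf_text)
    findings = []
    if d.get("TLSEngine", "off").lower() == "on":
        if "TLSRSACertificateFile" not in d or "TLSRSACertificateKeyFile" not in d:
            findings.append("no active TLSRSACertificateFile/TLSRSACertificateKeyFile: "
                            "the server has no RSA certificate to offer")
    if d.get("TLSProtocol", "").upper() == "SSLV23":
        findings.append("TLSProtocol SSLv23 still allows SSLv3; prefer TLSv1 or newer")
    return findings


# Event categories for mod_tls log lines (regexes are my own).
TLS_EVENT_PATTERNS = [
    ("required_but_absent", re.compile(r"required but absent")),
    ("no_shared_cipher", re.compile(r"no shared cipher")),
    ("negotiation_failed", re.compile(r"negotiation failed")),
]


def summarize_tls_log(log_text):
    """Count mod_tls log lines per event category."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pattern in TLS_EVENT_PATTERNS:
            if pattern.search(line):
                counts[name] += 1
    return dict(counts)


# Apache combined-log prefix: ip ident user [time] "METHOD path proto" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
SCANNER_SIGNATURES = ("w00tw00t",)  # probe marker seen in the post; extend as needed


def scanner_hits(access_log):
    """Return {client_ip: count} for requests whose path carries a scanner marker."""
    hits = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status = m.groups()
        if any(sig in path for sig in SCANNER_SIGNATURES):
            hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for finding in audit_tls_conf(SAMPLE_TLS_CONF):
        print("tls.conf:", finding)
    print("tls.log events:", summarize_tls_log(SAMPLE_TLS_LOG))
    print("scanner hits per IP:", scanner_hits(SAMPLE_ACCESS_LOG))
```

The w00tw00t requests are a widely seen automated probe that Apache already answers with 400; counting them per source address is the useful part, since a burst from one address is a candidate for a firewall rule rather than a sign of compromise by itself. Run the script against the real files by replacing the SAMPLE_* strings with the file contents.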